Source Spotter

Go Package Dependencies

Did you know that when you import or install a Go package, the dependencies that are actually downloaded and built may be a significantly smaller subset of the modules listed in the go.mod file? This is because go.mod lists the dependencies of every package in the module (including packages you never use), for every possible build configuration, including test-only dependencies.

This page uses the go list -deps command to list the true dependencies of a Go package, to help you assess the risk of using a third-party package.

Enter a package import path to analyze. You can specify patterns (e.g. software.sslmate.com/src/sourcespotter/cmd/...) and/or versions (e.g. software.sslmate.com/src/sourcespotter@v0.0.5). If no version is specified, the latest version is analyzed.

Methodology
  1. Create a temporary module.
  2. Run go get PACKAGE to download the specified package.
  3. Run go list -deps -f "{{if .Module}}{{.DepOnly}} {{.Module.Path}} {{.Module.Version}} {{.ImportPath}}{{end}}" PACKAGE. Checking for .Module excludes packages in the standard library. .DepOnly is used to distinguish between packages in the same module as PACKAGE and packages in a dependency.
  4. The output of go list is grouped by module path and version and rendered below.
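The four steps above as a shell script, added here as an illustration; it is not Source Spotter's own code. The function names, the scratch module path, the output layout and the exact prefix-matching rule for first-party modules are assumptions.

```shell
#!/bin/sh
# Added example, not Source Spotter's code. Function names, the scratch module
# path and the output layout are assumptions.

# Steps 1-3: print "DepOnly ModulePath ModuleVersion ImportPath" per package.
list_deps() {
    pkg=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        go mod init example.invalid/scratch >/dev/null 2>&1 &&   # step 1
        go get "$pkg" >/dev/null 2>&1 &&                         # step 2
        # step 3; go list rejects path@version arguments, so strip the version
        go list -deps -f '{{if .Module}}{{.DepOnly}} {{.Module.Path}} {{.Module.Version}} {{.ImportPath}}{{end}}' "${pkg%@*}"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Step 4: group those lines by module path and version.
# $1 (optional) is the first-party path prefix from the page's Options.
# DepOnly is "false" for packages named by PACKAGE itself; sorting puts those
# first within a module, so the module holding PACKAGE is labelled "requested".
group_deps() {
    LC_ALL=C sort -u -k2,3 -k1,1 -k4 | awk -v fp="${1:-}" '
    NF != 4 { next }    # skip blank or incomplete lines
    {
        mod = $2 "@" $3
        if (mod != last) {
            if ($1 == "false")
                label = "requested"
            else if (fp != "" && ($2 == fp || index($2, fp "/") == 1))
                label = "first-party"
            else
                label = "third-party"
            printf "%s [%s]\n", mod, label
            last = mod
        }
        printf "    %s\n", $4
    }'
}

# Usage: sh deps.sh PACKAGE [FIRST_PARTY_PREFIX]
if [ "$#" -ge 1 ]; then
    list_deps "$1" | group_deps "${2:-}"
fi
```

The modules left under "third-party" are the ones a build of PACKAGE actually pulls in, which is the set worth reviewing rather than everything listed in go.mod.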
Options

Modules beneath this path are labeled first-party dependencies.